#!/bin/bash -x # source the debconf library if [ -e "/usr/share/debconf/confmodule" ]; then . /usr/share/debconf/confmodule else echo "debconf must be installed. Exiting." exit 1 fi TOMCAT=tomcat9 OLD_TOMCAT=tomcat7 TOMCAT_USER=tomcat TOMCAT_HOME=/var/lib/${TOMCAT} APACHE_CONF=/etc/apache2 JK_CONF=portal_jk.conf PG=postgresql PG_USER=postgres if [ -e "/etc/postgresql/14/main" ]; then PG_CONF=/etc/postgresql/14/main PG_DATA=/var/lib/postgresql/14/main else PG_CONF=/etc/postgresql/10/main PG_DATA=/var/lib/postgresql/10/main fi DB_NAME=oauth DB_USER=oa4mp DB_PASS=oa4mp # Reminder: don't echo to stdout, it messes up debconf D1_LOG_DIR=/var/log/dataone if [ ! -e ${D1_LOG_DIR} ]; then mkdir -p ${D1_LOG_DIR} fi chown -R ${TOMCAT_USER}:${TOMCAT_USER} ${D1_LOG_DIR} # functions to echo to STDERR or the install log instead of STDOUT logError () { echo -e "$@" 1>&2 } log () { now=$(date "+%Y-%m-%d %H:%M:%S %Z: ") echo -e "${now}$@" >> ${D1_LOG_DIR}/dataone-cn-os-core.install.log } LONG_DATE=`date +%Y%m%d%H%M%S` db_get dataone-cn-os-core/cn.router.hostname HOST_NAME=${RET} KEY_DIR=/etc/letsencrypt/live/${HOST_NAME} CERT_DIR=/etc/letsencrypt/live/${HOST_NAME} HAZELCAST_PORT=5703 SOURCE_DIR=/usr/share/portal SCRIPT_DIR=${SOURCE_DIR}/debian D1_CONF=/etc/dataone VAR_DATAONE=/var/dataone ############################################################################### # Set up hazelcast configuration ############################################################################### HAZELCAST_INTERFACE="" SPACER=" " db_get dataone-cn-os-core/cn.iplist IPLIST=(${RET}) for ip in ${IPLIST[@]} do IP_XML_NODE="${ip}<\/interface>" HAZELCAST_INTERFACE=${HAZELCAST_INTERFACE}${IP_XML_NODE}'\n'${SPACER} done ## replace the string 127.0.0.1 with the environment's iplist ## 127.0.0.1 sed -i.bak --regexp-extended "s/127\.0\.0\.1<\/interface>/${HAZELCAST_INTERFACE}/;" ${D1_CONF}/portal/hazelcast.xml ## open up the correct port for hazelcast for ip in ${IPLIST[@]} do log "Adding 'ufw allow to any port ${HAZELCAST_PORT} from ${IP_ADDRESS}' rule" ufw allow to any port ${HAZELCAST_PORT} from ${ip} # open postgres port for this IP log "Adding 'ufw allow to any port 5432 from ${ip}' rule" ufw allow to any port 5432 from ${ip} done ############################################################################### # Install portal war file ############################################################################### ## Stop tomcat log "Stopping Tomcat" systemctl stop ${TOMCAT} ## backup the old war file if [ -e ${TOMCAT_HOME}/webapps/portal.war.current ] then log "Backing up ${TOMCAT_HOME}/webapps/portal.war.current to ${TOMCAT_HOME}/webapps/portal.war.${LONG_DATE}" mv ${TOMCAT_HOME}/webapps/portal.war.current ${TOMCAT_HOME}/webapps/portal.war.${LONG_DATE} fi ## remove the portal application directory if [ -d ${TOMCAT_HOME}/webapps/portal ] then log "Removing the old portal application directories" rm -rf ${TOMCAT_HOME}/webapps/portal fi ## copy the new war file into the webapps directory log copying new portal.war file to ${TOMCAT_HOME}/webapps/portal.war cp ${SOURCE_DIR}/portal.war ${TOMCAT_HOME}/webapps/portal.war ## expand the war file CURR_DIR=`pwd` ## make portal directory and extract portal.war into it. log "Making portal application directory: ${TOMCAT_HOME}/webapps/portal" mkdir ${TOMCAT_HOME}/webapps/portal cd ${TOMCAT_HOME}/webapps/portal log "extracting portal.war into ${TOMCAT_HOME}/webapps/portal" jar -xvf ${TOMCAT_HOME}/webapps/portal.war > /dev/null mv ${TOMCAT_HOME}/webapps/portal.war ${TOMCAT_HOME}/webapps/portal.war.current cp ${SOURCE_DIR}/debian/log4j.properties ${TOMCAT_HOME}/webapps/portal/WEB-INF/classes chown -R ${TOMCAT_USER}:${TOMCAT_USER} ${TOMCAT_HOME}/webapps/portal log cd to $CURR_DIR cd $CURR_DIR ## replace the CN URL in the web.xml file to use a hostname as found by issuing a hostname -f ## replace the CILogon callback URLs for the portal in the config file db_get dataone-cn-os-core/cn.router.hostname HOSTNAME=$RET if [ "$HOSTNAME" != "" ] then sed -i.bak 's/\(https:\/\/\)cn\.dataone\.org/\1'${HOSTNAME}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml sed -i.bak 's/\(https:\/\/\)cn\.dataone\.org/\1'${HOSTNAME}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml else log "HOSTNAME (cn.router.hostname) cannot be set in ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml or ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml" fi ############# replace the java key store password in the client.xml file ###################### #first we will try to read it from the dataone-cn-os-core/cn.keystore.password db_get dataone-cn-os-core/cn.keystore.password #if it is blank, we will read it from the input form from the template JAVA_KEYSTORE_PASSWORD=$RET if [ "$JAVA_KEYSTORE_PASSWORD" = "" ] ;then db_get dataone-cn-portal/cn.keystore.password JAVA_KEYSTORE_PASSWORD=$RET db_reset dataone-cn-portal/cn.keystore.password fi sed -i.bak 's/\(password=\"\)JAVA_KEYSTORE_PASSWORD/\1'${JAVA_KEYSTORE_PASSWORD}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml ###########replace the "OLD_TOMCAT" by "TOMCAT" on the web.xml, client.xml and portal.properties################### sed -i.bak 's/\(\/var\/lib\/\)'${OLD_TOMCAT}'/\1'${TOMCAT}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/web.xml sed -i.bak 's/\(\/var\/log\/\)'${OLD_TOMCAT}'/\1'${TOMCAT}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml sed -i.bak 's/\(\/var\/lib\/\)'${OLD_TOMCAT}'/\1'${TOMCAT}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties ## switched postgresql host property to localhost (redmine 7943) so this config is not needed anymore ## configure to hit only a single PG instance - defualt to first in ip list #for ip in ${IPLIST[@]} #do # PG_HOST=${ip} # sed -i.bak 's/\(host="\)cn\.dataone\.org/\1'${PG_HOST}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml # break # just use the first #done ## configure the CILogon skin, default to PRODUCTION MYPROXY_ID=myproxy:oa4mp,2012:/client/42afd3477fac2eb9bfe99d0b409f6cc6 CILOGON_SKIN=DataONE db_get dataone-cn-os-core/cn.context.label CONTEXT_LABEL=$RET if [[ "${CONTEXT_LABEL}" == "DEV" ]]; then CILOGON_SKIN=DataONEDev MYPROXY_ID=myproxy:oa4mp,2012:/client/24a10c2cd8bda4e6b5cf244ab7532b2 fi if [[ "${CONTEXT_LABEL}" == "DEV2" ]]; then CILOGON_SKIN=DataONEDev2 MYPROXY_ID=myproxy:oa4mp,2012:/client/24a10c2cd8bda4e6b5cf244ab7532b2 fi if [[ "${CONTEXT_LABEL}" == "STAGE" ]]; then CILOGON_SKIN=DataONEStage MYPROXY_ID=myproxy:oa4mp,2012:/client/7a4c0539fc9eb5c066f1619d73f35c37 fi if [[ "${CONTEXT_LABEL}" == "STAGE2" ]]; then CILOGON_SKIN=DataONEStage2 MYPROXY_ID=myproxy:oa4mp,2012:/client/3f5b88459d880f550e31f485458fc459 fi if [[ "${CONTEXT_LABEL}" == "SANDBOX" ]]; then CILOGON_SKIN=DataONESandbox MYPROXY_ID=myproxy:oa4mp,2012:/client/2f533133f3e70b26e60492479aa8f0ef fi if [[ "${CONTEXT_LABEL}" == "SANDBOX2" ]]; then CILOGON_SKIN=DataONESandbox2 MYPROXY_ID=myproxy:oa4mp,2012:/client/66a303882b6e4bec1e91cbf2ccda1e86 fi ## replace in the config file sed -i.bak 's/\(\)DataONE/\1'${CILOGON_SKIN}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml ## set MyProxy id in the config file MYPROXY_ID=${MYPROXY_ID//\//\\\/} sed -i.bak 's/\(\)MYPROXY_ID/\1'${MYPROXY_ID}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml ## set the CILogon server correctly (they only have production now) CILOGON_SERVER=cilogon.org if [[ "${CONTEXT_LABEL}" == "PRODUCTION" ]]; then CILOGON_SERVER=cilogon.org fi sed -i.bak 's/\(https:\/\/\)cilogon\.org/\1'${CILOGON_SERVER}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml ## set up the MyProxy certificates # get the private key db_get dataone-cn-os-core/cn.server.privatekey.filename KEY_FILENAME=${RET} KEY_FILE=${KEY_DIR}'/'${KEY_FILENAME} PK8_KEY_FILE=${KEY_FILE}.pk8 # make PK8 format for private key openssl pkcs8 -topk8 -in ${KEY_FILE} -nocrypt -out ${PK8_KEY_FILE} chown ${TOMCAT_USER}:ssl-cert ${PK8_KEY_FILE} chmod 0650 ${PK8_KEY_FILE} # get the correct public key (NOT the cert) for the env db_get dataone-cn-os-core/cn.server.publiccert.filename SERVER_CERT_FILENAME=${RET} PUBLIC_SERVER_CERT=${CERT_DIR}'/'${SERVER_CERT_FILENAME} PUBLIC_KEY_FILE=${PUBLIC_SERVER_CERT}.pk8publickey openssl x509 -in ${PUBLIC_SERVER_CERT} -pubkey -noout > ${PUBLIC_KEY_FILE} # set these in the configuration PK8_KEY_FILE=${PK8_KEY_FILE//\//\\\/} sed -i.bak 's/\(\)PRIVATE_KEY_PATH/\1'${PK8_KEY_FILE}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml PUBLIC_KEY_FILE=${PUBLIC_KEY_FILE//\//\\\/} sed -i.bak 's/\(\)PUBLIC_KEY_PATH/\1'${PUBLIC_KEY_FILE}'/;' ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml ## configure the portal to use public cert and private key for token generation/verification PUBLIC_SERVER_CERT_ESC=${PUBLIC_SERVER_CERT//\//\\\/} KEY_FILE_ESC=${KEY_FILE//\//\\\/} sed -i.bak --regexp-extended "s/(cn\.server\.publiccert\.filename=).*/\1${PUBLIC_SERVER_CERT_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties sed -i.bak --regexp-extended "s/(cn\.server\.privatekey\.filename=).*/\1${KEY_FILE_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties ## configure the portal to use ORCID API credentials db_get dataone-cn-portal/orcid.client.id ORCID_CLIENT_ID=${RET} ORCID_CLIENT_ID_ESC=${ORCID_CLIENT_ID//\//\\\/} sed -i.bak --regexp-extended "s/(orcid\.client\.id=).*/\1${ORCID_CLIENT_ID_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties db_get dataone-cn-portal/orcid.client.secret ORCID_CLIENT_SECRET=${RET} ORCID_CLIENT_SECRET_ESC=${ORCID_CLIENT_SECRET//\//\\\/} sed -i.bak --regexp-extended "s/(orcid\.client\.secret=).*/\1${ORCID_CLIENT_SECRET_ESC}/;" ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties db_reset dataone-cn-portal/orcid.client.id # clear the cached orcid id db_reset dataone-cn-portal/orcid.client.secret # clear the cached orcid secret ## make client.xml and portal.property and backup file only readable by the owner chmod 600 ${TOMCAT_HOME}/webapps/portal/WEB-INF/client.xml* chmod 600 ${TOMCAT_HOME}/webapps/portal/WEB-INF/portal.properties* #################################################################################### # Create the /var/dataone/portal/storage directory as the asset file system storage #################################################################################### if [ ! -d ${VAR_DATAONE} ]; then mkdir ${VAR_DATAONE} fi if [ ! -d ${VAR_DATAONE}/portal ]; then mkdir ${VAR_DATAONE}/portal chown ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal else chown -R ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal fi if [ ! -d ${VAR_DATAONE}/portal/storage ]; then mkdir ${VAR_DATAONE}/portal/storage chown ${TOMCAT_USER}:${TOMCAT_USER} ${VAR_DATAONE}/portal/storage chmod 700 ${VAR_DATAONE}/portal/storage setfacl -d -m u::rwx ${VAR_DATAONE}/portal/storage fi ############################################################################### # Configure Tomcat ############################################################################### # Configure the context file log "Copying ${SCRIPT_DIR}/portal.xml to ${TOMCAT_HOME}/conf/Catalina/localhost/" cp ${SCRIPT_DIR}/portal.xml ${TOMCAT_HOME}/conf/Catalina/localhost/ # Add permissions needed by portal log "Copying ${SCRIPT_DIR}/56portal.policy to ${TOMCAT_HOME}/conf/policy.d/" cp ${SCRIPT_DIR}/56portal.policy ${TOMCAT_HOME}/conf/policy.d/ ############################################################################### # Configure Apache ############################################################################### ## Stop apache log "Stopping Apache" /etc/init.d/apache2 stop ## copy in jk mount configuration file if [ -e ${APACHE_CONF}/jk_mount/${JK_CONF} ] then JK_DIFF=`diff ${SCRIPT_DIR}/${JK_CONF} ${APACHE_CONF}/jk_mount/${JK_CONF}` if [ "${JK_DIFF}" != "" ] then log "Backing up ${APACHE_CONF}/jk_mount/${JK_CONF} to ${APACHE_CONF}/jk_mount/${JK_CONF}.${LONG_DATE}" mv ${APACHE_CONF}/jk_mount/${JK_CONF} ${APACHE_CONF}/jk_mount/${JK_CONF}.${LONG_DATE} fi fi log "Copying ${JK_CONF} site file to ${APACHE_CONF}/jk_mount/" cp ${SCRIPT_DIR}/${JK_CONF} ${APACHE_CONF}/jk_mount/ ############################################################################### # Configure Postgres ############################################################################### ## Add the postgres user to the root group usermod -a -G root ${PG_USER} ## create portal database and user log "Creating ${DB_NAME} database schema" su ${PG_USER} -c "dropdb ${DB_NAME}" su ${PG_USER} -c "createdb ${DB_NAME}" log "Creating ${DB_USER} user" su ${PG_USER} -c "dropuser ${DB_USER}" su ${PG_USER} -c "psql -c \"CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASS}'\"" # run the script to create user and tables su ${PG_USER} -c "psql -f ${SCRIPT_DIR}/portal-tables.sql ${DB_NAME}" ## modify pg_hba.conf to allow traffic from each CN IP_ADDRESS=127.0.0.1 for ip in ${IPLIST[@]} do IP_ADDRESS=${ip} PG_HBA_IS_MODIFIED=`grep "${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password" ${PG_CONF}/pg_hba.conf` if [ "${PG_HBA_IS_MODIFIED}" == "" ] then log "backing up ${PG_CONF}/pg_hba.conf to ${PG_CONF}/pg_hba.conf.bak" cp ${PG_CONF}/pg_hba.conf ${PG_CONF}/pg_hba.conf.bak chown postgres ${PG_CONF}/pg_hba.conf chgrp postgres ${PG_CONF}/pg_hba.conf log "appending 'host ${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password' to ${PG_CONF}/pg_hba.conf" echo "host ${DB_NAME} ${DB_USER} ${IP_ADDRESS} 255.255.255.255 password" >> ${PG_CONF}/pg_hba.conf fi done ## modify /etc/postgresql/10/main/postgresql.conf to listen on more than 'localhost' ## original line looks like this: ## #listen_addresses = 'localhost' ## we want this: ## listen_addresses = '*' PG_LISTEN_IS_MODIFIED=`egrep "listen_addresses *= *'\*'" ${PG_CONF}/postgresql.conf` if [ "${PG_LISTEN_IS_MODIFIED}" == "" ] then sed -i.bak "s/\(listen_addresses\s*\=\s*\)'localhost'/\1 '*'/;" ${PG_CONF}/postgresql.conf fi # make sure it is not commented out sed -i.bak "s/#\(listen_addresses\)/\1 /;" ${PG_CONF}/postgresql.conf # enable SSL access for the server PG_SSL_IS_MODIFIED=`grep -P "ssl *= *(?:false|off|no|0)" ${PG_CONF}/postgresql.conf` if [ "${PG_SSL_IS_MODIFIED}" == "" ] then sed -i.bak "s/\(ssl\s*\=\s*\).\+/\1true/;" ${PG_CONF}/postgresql.conf fi # make sure it is not commented out sed -i.bak "s/#\(ssl\s*\=.\)/\1/;" ${PG_CONF}/postgresql.conf # edit the postgresql.conf to use the given certificate/key sed -i.bak --regexp-extended "s/(ssl_cert_file\s*=).*/\1 \'${PUBLIC_SERVER_CERT_ESC}\'/;" ${PG_CONF}/postgresql.conf sed -i.bak --regexp-extended "s/(ssl_key_file\s*=).*/\1 \'${KEY_FILE_ESC}\'/;" ${PG_CONF}/postgresql.conf # make sure it is not commented out sed -i.bak "s/#\(ssl_cert_file\)/\1 /;" ${PG_CONF}/postgresql.conf sed -i.bak "s/#\(ssl_key_file\)/\1 /;" ${PG_CONF}/postgresql.conf ## Restart the postgres db log "Restarting postgres database" /etc/init.d/${PG} restart ############################################################################### # Start Apache and Tomcat ############################################################################### ## Start Apache /etc/init.d/apache2 start ## Start Tomcat log "starting Tomcat server" systemctl start ${TOMCAT} ## Update DateONE Version Info Doc #java -jar /usr/share/dataone-cn-version-tool/dataone-cn-version-tool.jar -F/usr/share/dataone-cn-version-tool/version-tool.properties -html > /var/www/cn-version.html db_stop exit 0